From Secunia security advisory at $URL: Description: The vulnerability is caused due to an integer overflow within the "ap_pregsub()" function (server/utils.c) and can be exploited to cause a heap-based buffer overflow via a specially crafted ".htaccess" file. The vulnerability is confirmed in versions 2.2.21. Solution: Not fixed atm.
https://svn.apache.org/viewvc?view=revision&revision=1198940 here is the fix.
CVE-2011-3607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607): Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
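The bug class described above (a length computed for a "$N" substitution wraps around, so the buffer allocated from it is too small) is guarded against by checking every addition in the length pass. The sketch below is an added example, not Apache's code and not the linked fix; `span_t`, `add_checked` and `expanded_len` are hypothetical names, and the match offsets in `main` are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one regex match span (start/end offsets). */
typedef struct { size_t so, eo; } span_t;

/* Add b to *acc without wrapping. Returns 0 on success, -1 on overflow. */
static int add_checked(size_t *acc, size_t b)
{
    if (b > SIZE_MAX - *acc)
        return -1;
    *acc += b;
    return 0;
}

/* Length pass of a "$N" substitution: bytes needed (including the NUL) to
 * expand tmpl against nmatch spans in m. Returns 0 and sets *out, or -1 if
 * the total would not fit in size_t, in which case the caller must not
 * allocate or copy anything. */
int expanded_len(const char *tmpl, const span_t *m, size_t nmatch, size_t *out)
{
    size_t len = 1;                                   /* trailing NUL */
    for (const char *p = tmpl; *p; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                                      /* escaped char, copied literally */
            if (add_checked(&len, 1)) return -1;
        } else if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            size_t no = (size_t)(*++p - '0');
            /* Unknown or empty groups expand to nothing. */
            if (no < nmatch && m[no].eo > m[no].so &&
                add_checked(&len, m[no].eo - m[no].so))
                return -1;
        } else if (add_checked(&len, 1)) {
            return -1;
        }
    }
    *out = len;
    return 0;
}

int main(void)
{
    /* Constructed spans: group 1 covers more than half the address space,
     * so referencing it twice cannot be represented in size_t. */
    span_t big[2] = { {0, 0}, {0, SIZE_MAX / 2 + 1} };
    size_t n = 0;
    printf("$1   -> %d\n", expanded_len("$1", big, 2, &n));
    printf("$1$1 -> %d\n", expanded_len("$1$1", big, 2, &n));
    return 0;
}
```

The same check applies whatever integer type holds the running length; the narrower the type, the smaller the input needed to wrap it.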
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).